The best time to plan for GDPR compliance is 3 months ago. The second best time is now.
– Maybe a Chinese proverb
If you’re like many entrepreneurs and business owners on this side of the Atlantic, myself included, you made like an ostrich and stuck your head in the sand when you saw articles about “that new European privacy law” over the last few months. Starting on May 25th, the General Data Protection Regulation (GDPR) is officially the law of the land for processing personal data of individuals in the EU (aka “data subjects”). Don’t fret; I shook off the sand and jumped into the deep end for you. This is the first in a series of posts to help get you up to speed and highlight some of the key requirements you may need to implement to ensure your company is compliant.
How do I know if the GDPR applies to my company?
The obvious first question, because you may be hoping you don’t have to worry about it at all.
You’re on the hook if your company:
Has an office in the EU;
Is outside of the EU but processes personal data of individuals who are in the EU in connection with offering goods or services to individuals in the EU; or
Is outside of the EU but processes personal data of individuals who are in the EU in connection with monitoring behavior that takes place within the EU.
You may not be on the hook if:
Your company has a website that is accessible by individuals in the EU, but your website does not intentionally cater to EU individuals (such as by allowing them to order goods using their currency).
You completely block EU users from your website outright and avoid offering any goods or services to individuals in the EU. The tools available to block EU users might not be failsafe, so DYOR (do your own research) and proceed at your own risk.
In short, the GDPR applies if your company has known customers or connections to individuals in the EU, a significant online presence (even if you don't have any paid EU customers), or if you sell wearables or other smart devices that are used by individuals in the EU.
What counts as processing personal data?
The GDPR rules and obligations are related to processing personal data, so you need to know what counts as “processing” and what is included in “personal data.”
Processing essentially means anything you can possibly do with data. It is defined in the regulation as “any operation or set of operations on the data.” In other words, any collection, recording, organizing, structuring, storage, alteration, retrieval, consultation, use, disclosure or dissemination, combination, deletion, or destruction of personal data counts as processing.
Personal data also casts a wider net than you might expect. Defined as “any information relating to an identified or identifiable person,” personal data includes information about an individual’s background, family and lifestyle, education and training, medical details, employment history and status, finances, contractual details (such as goods and services provided to a data subject), and online identifiers.
Online identifiers are provided by a data subject’s devices, applications, tools and protocols. IP addresses, cookie identifiers, and RFID tags are examples of online identifiers that constitute personal data. Even though online identifiers don’t identify an individual outright, they are still considered personal data because they can be combined with other information to identify users or create user profiles, for example. Special shout-out to the IoT companies on this one.
Here are a few examples of data that is not personal data, or to which the rules do not apply:
Information that is completely anonymous or is rendered anonymous so that the data subject cannot be identified
Information about a company (but be careful, because the email addresses of individuals working for a given entity are still personal data)
Information about a deceased person
What rules do I have to follow when processing personal data?
It depends. Totally unsatisfying answer, I know, but we’re talking about a complex regulation. The requirements, responsibilities, and restrictions applicable to your business will depend on various factors, including: whether you are operating as a data controller or data processor, the types of data you process, and the purpose and lawful basis for which you are processing. Keep checking the blog for updates, and don't hesitate to reach out for assistance with the compliance process.
What is the difference between a data controller and a data processor?
Determining whether you are a data controller or data processor is an important first step, because there are different rules and responsibilities for data processors and data controllers.
A data controller determines the purposes and methods of processing personal data. You are a data controller in the context of collecting email addresses through your website to send regular newsletters related to your service.
A data processor processes the personal data on behalf of the controller. An automated email service is a data processor when it processes the personal data (email addresses) in order to send your newsletter to its recipients.
Plot twist: You could be a data processor and a data controller.
For example, if you are a B2B company that offers data analytics for other companies, you are a data processor with respect to the data of your client’s customers that you process on behalf of your client. Your client is the controller over the data it directs you to process, because your client determines the type of data collected (and provided to you), as well as the purpose and legal basis related to your processing of that data. You are also a data controller with respect to personal data you process in connection with providing your service to your client. This would be the case, for example, if you create unique user accounts on your analytics platform for your client’s employees who are in the EU.
If the determination is unclear given the context of your operations, remember this: You are a data controller if you are determining how and why personal data is collected. You are a processor if you are simply facilitating the data processing under the direction of another party.
Stay tuned for a later post about joint controllers.
As a data controller, you are responsible for complying with the rules related to the six Data Protection Principles, and you must be able to demonstrate your compliance. As a processor, you are responsible for processing data in accordance with an appropriate written agreement between you and the controller.
What are the Data Protection Principles?
The Data Protection Principles are the foundation of the GDPR, and controllers have to comply with the corresponding rules. In addition to the highlights below, each principle and its corresponding rules will be discussed in separate posts.
(1) Lawfulness, fairness, transparency
Data collection practices should be transparent and clearly communicated to data subjects.
There must be a “lawful basis” for all processing activities, determined prior to processing.
(2) Purpose limitation
Processing has to be linked to a specific and legitimate purpose.
(3) Data minimization
Processing should be relevant and limited to only what is necessary for the contemplated purpose(s).
(4) Accuracy
Data must be kept complete and accurate, and updated or corrected as necessary.
(5) Limited retention
Data should only be stored as long as is necessary for the contemplated purpose(s).
(6) Integrity and confidentiality
Processing activities should be conducted using appropriate organizational and technical measures to ensure adequate security.
There is still a lot of ground to cover, but you can get a head start by conducting an assessment of your data collection and analytics processes and operations. You have to know where you are before you can map out the best route to get to the compliance finish line.
Send us a message; we would love to help you get on the right track!
*This blog provides general information for educational purposes only. It is not intended to constitute specific legal advice and does not create an attorney-client relationship.*